Our smart factory honeypot proves ICS attacks are rife

by Ian Heritage

The world is getting smarter, and that includes the factories and industrial facilities that do everything from generating power to manufacturing the products we love. In practice, this means IoT systems that streamline business processes and enhance productivity. But this race for innovation comes at a cost. As operational technology (OT) converges with IT, threats are starting to emerge via outdated communications protocols, IT silos and hardware not designed for regular patching.

When we talk about Industry 4.0 threats, it’s often in the context of sophisticated nation-state-backed attempts to disrupt power or sabotage production lines. But in reality, commodity attacks are a bigger imminent concern. That isn’t a reason to hold back on security. In fact, it’s a reason you should prioritise defensive measures.

To find out more, Trend Micro recently built its own smart factory honeypot.

Catch them if you can

Honeypots are a tried-and-tested way for security researchers to gather crucial intelligence about their opponents. But with attackers now wise to such tactics, the white hat community has to go to extra lengths to disguise such systems so they pass as legitimate. For this project, Trend Micro decided to pose as a small industrial prototyping “boutique” consultancy working on sensitive projects for highly specialised customers. The deception stretched to building a complete website and social media profiles for the firm’s ‘employees’.

To add authenticity to the honeypot, the research team used real Industrial Control System (ICS) hardware and a mix of physical hosts and VMs. Several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations and a file server completed the picture. To lure attackers, specific ports were left open without passwords to enable services such as VNC, and information was posted to Pastebin to make the fake company easier to find.

What we found

The honeypot was compromised in a cryptojacking attack, targeted by two separate ransomware raids, and used in fraud schemes — specifically the upgrading of victims’ cell phone accounts to buy new iPhones and the cashing out of airline miles for gift cards. This tells us a couple of interesting things about smart factory security.

First, it’s not all about sophisticated multi-stage attempts to disrupt processes and/or steal highly sensitive corporate information. These attacks were fairly mundane, but still enough to cause significant problems, especially for smaller organisations.

Next, it is clear that best practice security measures do work. Even the most basic security measures we had in place initially kept attackers from attempting to infiltrate the honeypot. It was only when we opened up the VNC port, for example, that it was infected with cryptocurrency malware.

We’d therefore urge IT security bosses managing smart factory environments to follow industry advice: limit the number of ports they open and enforce strict access control policies based on least privilege.

This is just the start. Such policies should be enhanced by reputable security solutions built specifically for such environments, to protect against vulnerability exploitation and unsecured communications channels, and provide enhanced visibility into OT assets.
